Authenticating Subjects (authenticating users)
Authentication steps
Authentication is divided into three steps:
1. Collect the identifying information (principal) and the proof of identity (credential) of the user (Subject);
2. Submit the principal and credential on behalf of the Subject;
3. Process the result of the authentication attempt (success, or the specific failure).
Step One: collect the principal and credential into a token (the literals below are placeholders):
    UsernamePasswordToken token = new UsernamePasswordToken("username", "password");
    token.setRememberMe(true);
Step Two: obtain the current Subject and submit the token:
    Subject currentUser = SecurityUtils.getSubject();
    currentUser.login(token);
Step Three: handle the result. login() returns normally on success and throws a subclass of AuthenticationException on failure, so the call from step two is wrapped in a try/catch (the more specific exceptions must be caught before AuthenticationException):
    try {
        currentUser.login(token);
    } catch (UnknownAccountException e) {
        // TODO: the account does not exist
    } catch (IncorrectCredentialsException e) {
        // TODO: the password is wrong for this account.
        // For example, this is thrown when the password is "secret" and "secrets" was entered by mistake.
    } catch (LockedAccountException e) {
        // TODO: the account is locked and cannot log in
    } catch (AuthenticationException e) {
        // TODO: any other failure during authentication
    }
Distinguishing these exceptions is useful for logging and for internal account handling, but the message shown to the user should be the same for UnknownAccountException and IncorrectCredentialsException; otherwise the login form reveals which usernames exist.
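The three steps put together as an added, runnable example (this is not code from the Shiro documentation). It builds an in-memory IniRealm with one constructed demo user, performs the login, maps every failure to the same caller-facing result while recording the specific reason server-side, and clears the password from the token afterwards. The class, user and helper names are assumptions for this example.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class LoginExample {

    // Constructed demo realm with a single plaintext user (assumption for this
    // example). Production realms store hashed credentials and use a
    // HashedCredentialsMatcher; an IniRealm with plaintext passwords is demo-only.
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put("alice", "secret");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Runs the three steps and returns true on success. The caller only
    // learns "failed"; the specific cause goes to the audit log so the login
    // form does not reveal which usernames exist.
    static boolean login(String username, char[] password) {
        // Step one: collect principal and credential into a token
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(false);

        // Step two: submit it for the current Subject
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return true;
        // Step three: handle the result; specific exceptions before the general one
        } catch (UnknownAccountException e) {
            audit(username, "unknown account");
        } catch (IncorrectCredentialsException e) {
            audit(username, "incorrect credentials");
        } catch (LockedAccountException e) {
            audit(username, "account locked");
        } catch (AuthenticationException e) {
            audit(username, "other failure: " + e.getClass().getSimpleName());
        } finally {
            token.clear(); // zeroes the password array held by the token
        }
        return false;
    }

    // Server-side record of the real reason (stdout stands in for a logger here)
    static void audit(String username, String reason) {
        System.out.println("auth failure for '" + username + "': " + reason);
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        System.out.println(login("alice", "secrets".toCharArray())); // wrong password
        System.out.println(login("bob", "secret".toCharArray()));    // no such account
        System.out.println(login("alice", "secret".toCharArray()));  // correct credentials

        Subject s = SecurityUtils.getSubject();
        System.out.println(s.isAuthenticated() + " " + s.getPrincipal());
        s.logout();
    }
}
```

SecurityUtils.setSecurityManager installs a VM-wide static SecurityManager, which is appropriate for a stand-alone program like this one; in a web application the ShiroFilter binds the SecurityManager per request instead.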
AuthenticationStrategy authentication sequence
The Shiro SecurityManager implementation uses a ModularRealmAuthenticator instance by default. When two or more Realms are configured for an application, the ModularRealmAuthenticator delegates to an internal AuthenticationStrategy component, which decides, across the Realm attempts, whether the overall authentication attempt succeeds or fails.
Shiro ships three concrete AuthenticationStrategy implementations:
1. AtLeastOneSuccessfulStrategy: the overall attempt succeeds if one or more Realms authenticate the token successfully; it fails only if none do. This is the default.
2. FirstSuccessfulStrategy: only the account information from the first Realm that authenticates successfully is used; the remaining Realms are ignored. If none succeed, the attempt fails.
3. AllSuccessfulStrategy: every configured Realm must authenticate the token successfully; if any Realm fails (or does not know the account), the overall attempt fails.
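To make the difference between the three strategies concrete, here is an added example (not code from the Shiro documentation) that wires a ModularRealmAuthenticator with an explicit strategy and two constructed in-memory Realms: "alice" exists in both, "bob" only in the first. Realm names, users and helper names are assumptions for this example.

```java
import java.util.Arrays;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class StrategyExample {

    // Builds a constructed demo IniRealm from (user, password) pairs.
    // Plaintext passwords are for the demo only.
    static Realm realm(String name, String... userPasswordPairs) {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        for (int i = 0; i < userPasswordPairs.length; i += 2) {
            users.put(userPasswordPairs[i], userPasswordPairs[i + 1]);
        }
        IniRealm r = new IniRealm(ini);
        r.setName(name);
        return r;
    }

    // A SecurityManager whose ModularRealmAuthenticator uses the given strategy.
    static DefaultSecurityManager managerWith(AuthenticationStrategy strategy, Realm... realms) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator); // set before the realms so they are pushed to it
        sm.setRealms(Arrays.asList(realms));
        return sm;
    }

    // true if the overall (multi-realm) attempt succeeds under the current strategy
    static boolean tryLogin(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            subject.logout();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Realm a = realm("realmA", "alice", "secret", "bob", "hunter2");
        Realm b = realm("realmB", "alice", "secret");

        AuthenticationStrategy[] strategies = {
            new AtLeastOneSuccessfulStrategy(), // default: bob passes via realmA alone
            new FirstSuccessfulStrategy(),      // realmA answers first, realmB ignored
            new AllSuccessfulStrategy()         // bob fails: realmB does not know him
        };
        for (AuthenticationStrategy s : strategies) {
            SecurityUtils.setSecurityManager(managerWith(s, a, b));
            System.out.println(s.getClass().getSimpleName()
                    + ": alice=" + tryLogin("alice", "secret")
                    + " bob=" + tryLogin("bob", "hunter2"));
        }
    }
}
```

The same wiring in shiro.ini is `authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy` followed by `securityManager.authenticator.authenticationStrategy = $authcStrategy` in the [main] section. Note that AllSuccessfulStrategy also requires every configured Realm to support the submitted token type, so a Realm that only handles, say, certificate tokens will make every username/password login fail under that strategy.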